Learning about software vulnerabilities, CVE entries and NVD (US vulnerabilities database)
What are software vulnerabilities
The number of devices connected to the Internet is growing every day. And among those devices we find not only computers and smartphones, but also an ever-rising number of cameras, smoke detectors, motion sensors, smart door locks, and let’s not forget that even plant pots. Many households rely on the Internet of Things (IoT) to fully leverage the possibilities brought by the rise of smart home technologies but not everyone is aware of the dangers that may be lurking behind those hi-tech gadgets.
Imagine that an app, designed to let you control your smart home presents serious flaws, or even if it itself is not buggy, it interacts with another app in an unplanned way and leads to hypothetically dangerous results, like disarming your front door alarm on after everybody leaves for work.
It is even more clear in the context of the dangers hidden behind IoT why security has become way more important than anytime before. We are living in a society where cybersecurity has become a true challenge and has to be taken seriously not only by companies but at household level as well.
In the field of cybersecurity, one of the many many threats that put in danger computer systems and networks are software vulnerabilities. It is very common that during the process of building and coding of new technologies, mistakes in the form of bugs remain. Not all of those flaws are harmful, some are never even identified nor exploited. But some of those flaws may be misused by malevolent actors (we could also just call them hackers) to gain unauthorized access or privileges on a computer system. These flaws are commonly called software vulnerabilities.
The CIA Triad
By having security bugs present in code, we might be compromising one or more elements of the so called CIA triad. The CIA triad is an information security model consisting of the following principles:
• Confidentiality – managing the access levels for information, allowing only authenticated and authorized user the access to certain data;
• Integrity – guaranteeing good data “quality”, meaning the information is complete and correct, and that it has not been tampered with
• Availability – making sure data is always readily available to authorized users
In order to keep data protected, none of these principles can be “broken”.
Some common examples of software vulnerabilities
• SQL injection or code injection
Incorrect input validation leaves place for this kind of attacks. If the code does not contain mechanisms to validate user input, hackers may try and insert their code in your HTML form input fields or by directly entering parameters in the URL. In this way, they attempt to gain access to the contents of your database (which may of course contain sensitive data such as user passwords, addresses, emails, etc.).
• Stack buffer overflow
It is one of the oldest and most known vulnerabilities. It is basically a violation of the memory safety caused by overflowing the capacity of the buffer, or better said memory allocation, by writing more data into it that it can fit. This leads to data being written where they do not belong and thus overwriting the original contents.
• Path (directory) traversal
Attackers try to gain access to folders that do not form a part of the website by sending a request for a file or folder which points to the parent directory.
• Cross-Site Scripting (XSS)
Another attack based on malicious code injection. This kind of hack target website visitors. The attackers inject and execute their malicious code (in the form of a browser side script) on otherwise safe and trusted websites. This attack targets situations where a web application relies on user input submitted from within previously generated output without further validation. The user’s browser cannot differentiate which script to trust and which not and will execute it. These malicious scripts’ goal is often to access cookies, session tokens which are saved in the browser.
• Cross-Site Request Forgery (CSRF) aka “one-click attack” or session riding
This vulnerability consists in tricking an authenticated user into submitting a request without their knowledge. The hacker first prepares a malicious web request to a website that the user has privileged access to. Most web browsers include automatically all the cookies used by a given domain in any web request sent to that domain. This is then exploited during a CSRF attacks, when the web server is tricked by these automatically included cookies into thinking that the hacked request submitted by the user is legit and thus it will carry out the requested action.
What happens after a vulnerability is discovered?
After a new vulnerability is discovered, the MITRE Corporation (the corporation responsible for maintaining the CVE List) registers it as a CVE entry. CVE stands for Common Vulnerabilities and Exposures. It is basically a dictionary of publicly disclosed cybersecurity vulnerabilities and exposures that is free to search, use and incorporate into products and services. Entries in CVE are also called CVE Identifiers," "CVE IDs," "CVE names," "CVE numbers," or "CVEs". These entries are added by the so called CNA (CVE Numbering Authorities). Currently there are 124 CNAs distributed in 24 countries worldwide. CNAs can be Vendors, Projects or Vulnerability Researchers or Bug Bounty Programs National and Industry CERTs. Basically every major tech-company is among the list, including Chrome, Facebook, IBM, Kaspersky, and suchlike.
Each CVE Entry is assigned a CVE ID number (e.g.:CVE-2020-12345) and also a brief description of the vulnerability as well as the exploit. Also, it is marked with one of the following states:
• RESERVED – this state is the first through which a new CVE entry goes through. After a CNA or security researcher detects a new vulnerability, they request its entry in the CVE list by reserving it. After the requester submits all the details on the new vulnerability, the CVE, rated with the corresponding CVSS score will become available in the NVD (US national vulnerability database).
• DISPUTED – this state is assigned to a CVE entry when there are doubts about whether the discovered issue is or is not a vulnerability.
• REJECT - this state is assigned when a CVE Entry is not accepted as a CVE Entry. Meaning that it is not a CVE Entry and should be ignored. The reasons for this state are predominantly of administrative nature, like for example because it is a duplicate of an existing CVE Entry, or the requester has withdrawn his request or it was assigned incorrectly, etc.
As we said previously, after a successful CVE registration in the MITRE CVE List, it is included into the US National Vulnerability Database (NVD). While in the CVE list managed by MITRE we only find very sparse information on the vulnerability in question, the NVD provides us with much more details, including advice on how to fix it, and prepares a more elaborated security analysis. It is also responsible for assigning a score, according to the Common Vulnerability Scoring System (CVSS). The CVSS is a number from 0 to 10 which indicates how great the potential risk resulting from the vulnerability is.
Both MITRE as well as NVD are sponsored by US Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA). They are available to all public and free to use. Even though they are separate entities, they always work together, so that changes made in the CVE list are directly reflected in NVD.
How to protect our system from potential security attacks
As always, the best remedy is prevention. In this case it’s advisable to take an proactive approach and install a vulnerability scanner on your system. These scanners work by scanning your environment and comparing it with a list of known vulnerabilities, such as the CVE list we mentioned previously. The process of scanning should always be done systematically and on a regular basis.
Also, more tech savvy users can try and do some penetration testing so they discover possible weak spots in their system.
Image from Pixabay.
Originally coming from a marketing background, decided to turn her life around and immerse herself into the wonderful exciting and most importantly – never boring world of technology and web development. Proud employee at MA-NO . Easily loses track of time when enjoying working on code. Big fan of Placebo, cats and pizza.
The ultimate cybersecurity checklist for programmers
In today's digital age, cybersecurity has become an essential concern for programmers. With cyber threats on the rise, it is crucial for programmers to adopt robust security practices to protect…
Security of Internet providers: can we trust it?
This year has been a time of many changes. Now, more people are connected to the Internet through their home routers for teleworking, shopping, or leisure. This is where the…
What cybersecurity professionals have learned from the lockdown experience
The COVID-19 pandemic has radically changed the rules of the game for most companies and individuals in a very short time; it has also changed the international computing universe. Sudden…
Web shells as a security thread for web applications
Over the past two decades, web applications as an alternative to traditional desktop application have been on to rise. As their name suggests, they are installed on web servers and accessed…